ci(gitlab): Improve GitLab reliability #12415

Merged: me-no-dev merged 1 commit into master from ci/gitlab_reliance on Mar 5, 2026

Conversation

@lucasssvaz (Member)

Description of Change

This pull request improves the security, reliability, and maintainability of the GitHub Actions and GitLab CI workflows for hardware and Wokwi tests. The main changes focus on securely deriving workflow variables, using trusted sources for PR metadata, enhancing artifact download robustness, and updating repository checkout strategies to prevent security risks. The changes also improve environment variable handling and make the workflows more resistant to script injection and network issues.

Security and Trusted Data Handling:

  • Refactored the GitHub Actions workflow (.github/workflows/tests_hw_wokwi.yml) to fetch PR metadata (number, base branch, labels) directly from the GitHub API, ensuring only trusted sources are used for security-critical values and preventing potential injection attacks from fork PRs or crafted artifacts.
  • Updated comments and logic to clarify that repository checkout uses only trusted branch information, never artifact-derived values, further reducing security risks.

Workflow Variable and Environment Improvements:

  • Standardized the use of environment variables across workflow steps, passing values like cache hits, PR labels, and test matrix data via env to ensure consistency and prevent accidental script injection.

Artifact Download Robustness:

  • Enhanced the GitLab artifact download script (.gitlab/scripts/get_artifacts.sh) to use curl with retries, connection timeouts, and HTTP/1.1 for better reliability under network issues.

Repository Checkout Strategy:

  • Changed the GitLab hardware test workflows (.gitlab/workflows/hardware_tests_dynamic.yml, .gitlab/workflows/hw_test_template.yml) to use git fetch and git checkout with HTTP/1.1 and custom low-speed settings, replacing git clone, to improve reliability and prevent incomplete checkouts.

Job Tagging Logic:

  • Updated the hardware job generator script (.gitlab/scripts/gen_hw_jobs.py) to conditionally include the eco_default tag only if matching runners are available, improving job scheduling flexibility.

Test Scenarios

Tested in fork
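The first two bullets above (trusted PR metadata from the GitHub API, values handed to later steps via env rather than interpolated into scripts) are illustrated by the following added example. It is not code from this pull request or from the arduino-esp32 repository; it assumes the response shape of GitHub's REST API for a pull request (`number`, `base.ref`, `labels[].name`) and the `KEY=value` line format of the `$GITHUB_ENV` file. The sample payloads are constructed. The point a defender wants covered is that even API-sourced values are validated before they are written to the environment file, because a value carrying a newline would otherwise define a second variable on the next line.

```python
"""Validate pull-request metadata from the GitHub API before exporting it to
later workflow steps through $GITHUB_ENV. Added example, not project code."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Branch names we accept: git forbids whitespace and control characters in ref
# names, and this character class is narrower still on purpose.
SAFE_REF = re.compile(r"[A-Za-z0-9][A-Za-z0-9._/-]*")
# Label names are free text on GitHub; accept only the characters the project's
# own labels use (letters, digits, space, ':', '&', '.', '_', '/', '-').
# ',' is excluded so labels can be joined with it unambiguously.
SAFE_LABEL = re.compile(r"[A-Za-z0-9][A-Za-z0-9 :&._/-]*")


class UntrustedValueError(ValueError):
    """Raised when an API field fails validation and must not reach the workflow."""


@dataclass(frozen=True)
class PrMetadata:
    number: int
    base_ref: str
    labels: Tuple[str, ...]


def parse_pr_metadata(payload: Dict) -> PrMetadata:
    """Check the fields the workflow uses from a pull-request API response."""
    number = payload.get("number")
    # bool is a subclass of int in Python, so exclude it explicitly
    if isinstance(number, bool) or not isinstance(number, int) or number <= 0:
        raise UntrustedValueError(f"bad PR number: {number!r}")

    base_ref = payload.get("base", {}).get("ref")
    if (not isinstance(base_ref, str) or not SAFE_REF.fullmatch(base_ref)
            or ".." in base_ref):
        raise UntrustedValueError(f"bad base ref: {base_ref!r}")

    labels: List[str] = []
    for item in payload.get("labels", []):
        name = item.get("name") if isinstance(item, dict) else None
        if not isinstance(name, str) or not SAFE_LABEL.fullmatch(name):
            raise UntrustedValueError(f"bad label: {name!r}")
        labels.append(name)
    return PrMetadata(number=number, base_ref=base_ref, labels=tuple(labels))


def is_rejected(payload: Dict) -> bool:
    """True when the payload fails validation (handy for tests and dry runs)."""
    try:
        parse_pr_metadata(payload)
    except UntrustedValueError:
        return True
    return False


def github_env_lines(meta: PrMetadata) -> List[str]:
    """Render validated values as KEY=value lines for $GITHUB_ENV. Every value
    has been checked to contain no newline, so each line defines one variable."""
    return [
        f"PR_NUMBER={meta.number}",
        f"PR_BASE_REF={meta.base_ref}",
        "PR_LABELS=" + ",".join(meta.labels),
    ]


def export_to_github_env(meta: PrMetadata, env_file: str) -> None:
    """Append the lines to the file named by $GITHUB_ENV so later steps in the
    same job see them as environment variables (no shell interpolation involved)."""
    with open(env_file, "a", encoding="utf-8") as fh:
        fh.write("\n".join(github_env_lines(meta)) + "\n")


# Constructed sample shaped like a pull-request API response, trimmed to the
# fields used above; PR number, base branch and label names follow this PR's page.
SAMPLE_PAYLOAD = {
    "number": 12415,
    "base": {"ref": "master"},
    "labels": [{"name": "Type: CI & Testing"}, {"name": "Status: Pending Merge"}],
}

# Constructed malformed sample: a ref containing a newline must be rejected,
# otherwise the second line would define an extra variable in $GITHUB_ENV.
MALFORMED_PAYLOAD = {"number": 1, "base": {"ref": "master\nEXTRA=1"}, "labels": []}


if __name__ == "__main__":
    print("\n".join(github_env_lines(parse_pr_metadata(SAMPLE_PAYLOAD))))
    print("malformed payload rejected:", is_rejected(MALFORMED_PAYLOAD))
```

In a workflow the validated lines are appended to `$GITHUB_ENV`, and subsequent `run:` steps read `$PR_BASE_REF` and `$PR_LABELS` as ordinary environment variables instead of having the raw API text substituted into the script source.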

@lucasssvaz lucasssvaz self-assigned this Feb 28, 2026
@lucasssvaz lucasssvaz added the Type: CI & Testing Related to continuous integration, automated testing, or test infrastructure. label Feb 28, 2026
@github-actions Bot (Contributor) commented Feb 28, 2026

Messages
📖 🎉 Good Job! All checks are passing!

👋 Hello lucasssvaz, we appreciate your contribution to this project!


📘 Please review the project's Contributions Guide for key guidelines on code, documentation, testing, and more.

🖊️ Please also make sure you have read and signed the Contributor License Agreement for this project.

Click to see more instructions ...


This automated output is generated by the PR linter DangerJS, which checks if your Pull Request meets the project's requirements and helps you fix potential issues.

DangerJS is triggered with each push event to a Pull Request and modifies the contents of this comment.

Please consider the following:
- Danger mainly focuses on the PR structure and formatting and can't understand the meaning behind your code or changes.
- Danger is not a substitute for human code reviews; it's still important to request a code review from your colleagues.
- To manually retry these Danger checks, please navigate to the Actions tab and re-run last Danger workflow.

Review and merge process you can expect ...


We do welcome contributions in the form of bug reports, feature requests and pull requests.

1. An internal issue has been created for the PR, and we assign it to the relevant engineer.
2. They review the PR and either approve it or ask you for changes or clarifications.
3. Once the GitHub PR is approved we do the final review, collect approvals from core owners and make sure all the automated tests are passing.
- At this point we may do some adjustments to the proposed change, or extend it by adding tests or documentation.
4. If the change is approved and passes the tests it is merged into the default branch.

Generated by 🚫 dangerJS against e9f6363

@lucasssvaz lucasssvaz added the Status: Review needed Issue or PR is awaiting review label Feb 28, 2026
@github-actions Bot (Contributor) commented Feb 28, 2026

Test Results

101 files, 101 suites, 27m 39s ⏱️
94 tests: 94 ✅ 0 💤 0 ❌
833 runs: 833 ✅ 0 💤 0 ❌

Results for commit e9f6363.

♻️ This comment has been updated with latest results.

Copilot AI (Contributor) left a comment

Pull request overview

This PR hardens and improves reliability of the cross-system CI setup (GitHub Actions → GitLab) used for hardware and Wokwi testing by sourcing trusted PR metadata, strengthening network operations, and adjusting runner/job selection behavior.

Changes:

  • GitHub Actions: derive PR/base/labels via GitHub API and standardize passing values via env to reduce injection risk.
  • GitLab CI: update checkout and artifact download logic (HTTP/1.1 settings, retries/timeouts) to be more resilient.
  • GitLab job generation: conditionally include eco_default tag only when matching runners exist.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 7 comments.

Summary per file:

  • .github/workflows/tests_hw_wokwi.yml: Fetches trusted PR metadata via GitHub API; normalizes env handling; clarifies secure checkout behavior.
  • .gitlab/scripts/get_artifacts.sh: Adds curl retries/timeouts and forces HTTP/1.1 for more robust artifact fetching.
  • .gitlab/scripts/gen_hw_jobs.py: Adjusts tag selection to add eco_default only when runners can satisfy it.
  • .gitlab/workflows/hardware_tests_dynamic.yml: Changes repo checkout flow to fetch/checkout with HTTP settings.
  • .gitlab/workflows/hw_test_template.yml: Changes per-hardware-job checkout flow to fetch/checkout with HTTP settings.

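The eco_default tag change described in the PR description ("Job Tagging Logic") and in the review summary above can be shown with the following added example. It is not the project's gen_hw_jobs.py and makes no claim about that script's internals; only the tag name `eco_default` comes from the page. The runner inventory, the other tag names and the job definitions are constructed. The practical reason for the check is that a GitLab job is only picked up by a runner carrying every one of the job's tags, so emitting a tag no available runner has leaves the job pending instead of running; the generator therefore adds the optional tag only when a runner can actually satisfy it, and refuses to emit a job that no runner could take at all.

```python
"""Choose runner tags for generated hardware jobs, adding the optional
'eco_default' tag only when a matching runner exists. Added example, not the
project's generator script."""
from typing import Dict, FrozenSet, List, Sequence

# Tag name taken from the PR; all other tags and runners below are constructed.
ECO_TAG = "eco_default"


def runners_matching(required: FrozenSet[str], runners: Sequence[FrozenSet[str]]) -> int:
    """Count runners whose tag set covers every required tag (GitLab schedules a
    job only on a runner that has all of the job's tags)."""
    return sum(1 for tags in runners if required <= tags)


def can_schedule(required: Sequence[str], runners: Sequence[FrozenSet[str]]) -> bool:
    """True when at least one runner could take a job with these tags."""
    return runners_matching(frozenset(required), runners) > 0


def select_tags(required: Sequence[str], runners: Sequence[FrozenSet[str]],
                prefer_eco: bool = True) -> List[str]:
    """Return the job's tag list, with ECO_TAG appended only if some runner has
    the required tags plus ECO_TAG; otherwise fall back to the required tags."""
    base = frozenset(required)
    if runners_matching(base, runners) == 0:
        # A job whose tags no runner carries never starts; fail generation instead.
        raise LookupError(f"no runner satisfies tags {sorted(base)}")
    if prefer_eco and runners_matching(base | {ECO_TAG}, runners) > 0:
        return sorted(base | {ECO_TAG})
    return sorted(base)


def generate_jobs(jobs: Dict[str, Sequence[str]],
                  runners: Sequence[FrozenSet[str]]) -> Dict[str, Dict]:
    """Emit a minimal dynamic-pipeline job per entry (only the tags key is shown)."""
    return {name: {"tags": select_tags(req, runners)} for name, req in jobs.items()}


# Constructed runner inventory: one runner also serves eco jobs, one does not.
RUNNERS = [
    frozenset({"hw_tests", "esp32", "esp32c3", ECO_TAG}),
    frozenset({"hw_tests", "esp32s3"}),
]
# Constructed job definitions: name -> required tags.
JOBS = {
    "hw-esp32c3": ["hw_tests", "esp32c3"],
    "hw-esp32s3": ["hw_tests", "esp32s3"],
}


if __name__ == "__main__":
    import json
    print(json.dumps(generate_jobs(JOBS, RUNNERS), indent=2))
```

With the constructed inventory the esp32c3 job gets the eco_default tag and the esp32s3 job does not, while a job requiring a target no runner has (say esp32p4 here) is rejected at generation time rather than sitting in the pipeline forever.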
@me-no-dev me-no-dev added Status: Pending Merge Pull Request is ready to be merged and removed Status: Review needed Issue or PR is awaiting review labels Mar 4, 2026
@me-no-dev me-no-dev merged commit 28fc182 into master Mar 5, 2026
51 of 53 checks passed
@me-no-dev me-no-dev deleted the ci/gitlab_reliance branch March 5, 2026 11:20